4 Steps Security Can Take to Prevent Kidnapping

THINK KIDNAPPING IS NOT A RISK FOR YOUR ORGANIZATION? THINK AGAIN. KIDNAPPING AND HOSTAGE EXPERT CHRIS FALKENBERG TELLS US WHY THE THREAT IS REAL, AND WHAT YOU CAN DO TO MINIMIZE THE RISK

By JOAN GOODCHILD

SENIOR EDITOR

APRIL 8, 2009

As the economic crisis continues to heat up, Chris Falkenberg believes the potential for kidnapping will, too.

“The biggest risk for kidnapping of adults is among people in the financial services business,” said Falkenberg, president of Insite Security, a New York based consultancy that offers security services and analysis. “Particularly those who have a great deal of publicity about their wealth and their business success.” Kidnappers are motivated by money, and potential victims are the people who make the most, said Falkenberg, who noted that executive compensation is easier than ever find thanks to SEC disclosure rules.

Assessing an organization’s risk for a potential executive or staff abduction involves several factors. While executives may be more at risk in the United States, in many other countries, all employees face danger, especially if the country is impoverished. Falkenberg, a former Special Agent in the U.S. Secret Service, outlines preventative measures companies can consider to minimize kidnapping risk.

Counter surveillance, according to Falkenberg, basically takes the regular security guard position and “turns it inside out.” In addition to having personnel manning the gate, a counter-surveillance program has personnel who are watching to see who is watching others.

A good program could include a team that conducts surveillance at a facility, residence, or any given location, and keeps tabs on who is watching the target. This means looking for people who might be walking back in forth frequently in front of a location, taking video or photographs, counting footsteps to determine the measurements of a given location.

“Anything someone is doing from a public area to gain information which could be used in a crime and detecting who is doing that,” said Falkenberg to describe the kind of intelligence that should be gathered.

A counter-surveillance program might also use CCTV infrastructure in a proactive way, he said. “CCTV is primarily utilized in the forensic capacity, once a crime has occurred,” said Falkenberg. “But a counter-surveillance team can use all of the intelligent video in a proactive means, particularly if you have the ability to identify cars and license plates to keep an eye out for who seems to be in your perimeter, collecting information about scheduling, comings and goings,and transportation routes.”

Utilize GPS

Falkenberg recommends companies put in place technology to be able to receive GPS transmissions from cell phones or emergency GPS transmitters. While this technology may only go so far because the device will likely be taken from the victim, in some scenarios, it could still aid in rescue. And as technology advances, GPS will become even more useful.

“There is some technology coming out in which you can program a cell phone to send out a distress signal,” said Falkner. “What we are using with some clients is a handheld GPS transmitter which you can essentially use as a portable panic button. It triangulates to where it transmits. That can be used for a security department to learn where a kidnapping has occurred.”

Train employees on how to behave

As Falkenberg pointed out before, kidnappings are planned events. Kidnappers don’t often consider what they will do if the victim takes some drastic action to thwart the abduction. “It’s really infrequent, in the history of kidnapping, if victim runs away, or if they make a u-turn, that kidnappers will actually pursue a victim and kidnap in a static environment.”

When an event takes place, victims find themselves forced into vehicles with commands shouted at them like “Get in the car! We are going to kill you!” While this is terrifying, it is actually much easier to turn the situation to your advantage at that point than it is once you are incarcerated, said Falkenberg.

But this kind of reaction to threats is not second nature to people, said Falkenberg. It is something that has to be learned. He recommends talking with employees about what to do if threatened and rehearsing it. It is important, he said, for people to feel comfortable that if there is a kidnapping, they can react, have some muscle memory of how to react, and have some confidence that it is the correct step.

“It is a great challenge to train people to think effectively during emergencies,” said Falkenberg. “But it is very important because you have a real chance in the beginning to terminate the situation. If you can, you are much better off than getting in the car, or the van, where the realm of outcomes becomes worse.”

Falkenberg also recommends companies train employees about how to act as hostages in the event that they are abducted. Tips include touching everything in sight to leave lots of fingerprints and talking to the kidnappers so they see you as a human, not an object. Falkenberg recommends mentioning family, children, and other personal facts that may aid in getting them to see you as a person.

Consider families, too

“It’s one thing to kidnap the president of a company,” said Falkenberg. “Who knows what will happen? But if it involves the president’s kid? That situation has to be resolved immediately and the kidnappers know it. It is a far greater danger.”

Potential vulnerabilities don’t stop with the executive. Companies need to consider the family component of protection for executives, said Falkenberg. A crisis management and continuity plan for the family outside the office is key.

However, the family component can’t really be addressed with the same techniques used for employees because families are not going to tolerate the kind of protection that c-level executives tolerate at work. Also, it is just not cost effective. But Falkenberg believes there are several ways an organization can improve security for the executive and his/her family outside of work by leveraging existing resources. Training family about potential dangers and how to behave if someone attempts to abduct them is essential. But so is training of household staff members.

“Many executive have a household staff. They can be trained in the tools and skills of counter surveillance,” said Falkenberg. “They may have more information about the comings and goings than the family, particularly because some executives have multiple homes.”

Countering Threats: Insite Security shields its clients against kidnappers and other criminals who prey on the wealthy.

BUSINESS MANAGEMENT – PRACTICE DEVELOPMENT

SEPTEMBER / OCTOBER 2009

By CAREN CHESLER

It remains one of the most horrific kidnappings in history. In April 1992, Exxon executive Sidney Reso was kidnapped in his own driveway in wealthy Morris Township, N.J. Bound and gagged, he was put in a six-by-three-and-a-half foot wooden box, which was left in a metal storage room without ventilation or electricity. The 57-year-old father of five was left there for four days, lying in his own waste and given little more than water and vitamins. On the fifth day, his kidnappers returned to find him dead. Yet they continued to demand $18.5 million in ransom for eight weeks before finally being apprehended.

Reso wasn’t the first wealthy executive to be abducted and he certainly won’t be the last, which is why some of the country’s wealthiest families have hired New York City-based Insite Security Inc.

The firm’s CEO, Chris Falkenberg, a former Secret Service agent and litigator, counts celebrities, such as Martha Stewart and Ralph Lauren, as well as movie stars and hedge fund managers among his clients. The firm has so many clients in hedge-fund heavy Connecticut, it opened a four-person office in Greenwich. Falkenberg founded the firm in 2002.

“I think the most important thing we do is prevent kidnappings and respond to them,” Falkenberg says. “It is the number one threat because it is exactly the type of crime focused against our client base. Our clients have an enormous amount of money and, therefore, they are attractive to kidnappers.”

His firm, which employs law enforcement veterans who formerly worked for the Secret Service, the Federal Bureau of Investigation and the U.S. Marshals Service, as well as several police departments, has about a dozen clients for which it provides security services on a retainer basis.Monthly fees range from $8,000 to $12,000. The firm also performs discreet services, such as installing home security systems, which could cost $40,000 to $60,000.

The range of services Insite provides varies, depending on the client’s level of risk. An executive with a company that does animal testing or sells fur, for instance, faces a higher risk, as do executives who have received a lot of publicity because of their wealth or been involved in a high-profile termination of an employee, according to Falkenberg.

Kidnapping, however, is a threat to anyone with a lot of wealth. Kidnappings are on the rise internationally, experts say, partly due to organized crime activity in countries such as Brazil and Russia, and the drug trade run out of countries such as Mexico, where kidnapping has become a lucrative criminal activity. That’s made border states like Arizona, Texas and California greater security risks, says Falkenberg.

Apparently, Connecticut has its risks as well. In 2003, billionaire hedge fund manager Eddie Lampert was kidnapped at gunpoint while leaving work. Several ex-convicts found Lampert, who at the time owned the $9 billion private investment fund ESL Investments Inc., by going into the prison law library in jail and typing in “richest guy in Connecticut,” Falkenberg says. They nabbed him at work after seeing that he went in every Saturday and parked in the same spot that had his name on it. He was held for ransom for two days before talking his way out of it.

Falkenberg feels one of the benefits his firm brings to clients is the ability to respond to such situations on a moment’s notice. Law enforcement agencies, in contrast, may not act with urgency until they’ve established whether a kidnapping has occurred, he says.

To help prepare for kidnapping situations, Falkenberg recently hired the FBI’s former lead hostage negotiator, Christopher Voss. Experts say the first 24 hours of a kidnapping are considered the most crucial, in terms of keeping the victim alive, Falkenberg notes. The presence of Voss will assist the firm when it needs to act quickly, he adds.

“Given that so many of our clients are U.S.-based, and so many [domestic] kidnappings result in homicides, we just can’t not have that capability in house,” Falkenberg says.

Voss says kidnappings are like Russian roulette. Most of the time, victims are unharmed. But when something does go wrong, the results can be disastrous. In the U.S., he feels victims face heightened risk because kidnappers are more concerned about covering up their tracks.

“In the U.S., we have an extremely robust law enforcement community, and kidnappers are afraid they’re going to get caught. And they’re not only going to get caught they’re going to do an extremely long time in jail,” Voss says. “Outside the U.S., they’re pretty sure they won’t get caught.”

The firm hasn’t yet had to deal with a kidnapping, but Falkenberg believes it may have prevented one. He had a client in New York whose child may have been a potential target. According to school officials, a man was asking questions about the client’s child. But once Falkenberg’s firm put the man under surveillance, he disappeared.

“There can always be an innocuous excuse for behavior, but we didn’t think that was the case here. So we increased security, and the surveillance ended,” Falkenberg says. “One of the frustrating things about selling these services is that, unlike an investment advisor, we can’t prove a negative.”

Aside from kidnapping, the biggest issues clients face are home invasions and confidence games perpetrated by the people around them, Falkenberg says. For example, the firm had two ultra-wealthy clients whose college-aged sons were preyed upon by women who wanted their money. The parents had grown suspicious of the women, but their sons, who were so flattered by the women’s interest, refused to end the relationships.

Falkenberg’s firm discovered that both women had created a web of lies, about their identities, their college majors, and various other basic facts. The men ultimately terminated the relationships.

The women likely found the men in one of the college yearbooks created for entering freshmen, Falkenberg says. In general, he says, the less information that’s available about his clients, the safer they are.

“These days, there’s so much information out there about people, specifically the wealthy, that it creates security issues for them,” Falkenberg says. “Even if they make huge efforts not to draw attention to themselves, like those who vociferously guard their privacy and don’t talk to the media or take credit for their charitable foundations, they still end up in media reports on the very, very wealthy, like the Forbes list.” Some of the biggest breaches in security occur when people voluntarily give up information, he notes.

Falkenberg, who served on the security detail for the first President George Bush and then for President Bill Clinton during his 1992 presidential campaign, recommends that the wealthy keep public information about themselves vague, business-oriented and impersonal. The wealthy should be guarded about where they live, whom they know and what they do for hobbies, he says. The firm also does thorough background checks on anyone working for his clients, from nannies to landscapers.

Many of his clients, particularly hedge fund managers who have acquired enormous amounts of wealth early in life, find they and their children are living in a bubble. One of the firm’s challenges is allowing clients to live somewhat normal lives while looking out for their security.

“They’ll have a security infrastructure, but they don’t want to see or have to worry about it,” Falkenberg says. “It’s not so easy to do that.”

What makes it even harder is when clients are resistant to his security efforts. He once had an interior designer balk at the prospect of putting smoke detectors on the ceilings of each room, suggesting instead that they be put in closets. The wife of one of his clients asked that the unsightly surveillance cameras in the backyard be tucked away so far into the bushes that it rendered them useless.

The most resistant family members, he says, are children, who are warned not to put intimate details on social networks such as Facebook and MySpace. Many simply refuse to comply.

Risks don’t just occur at home, he notes. The ultra-wealthy have to be careful, perhaps even more careful, when they travel.

“When you show up and get off a Global Explorer – a $15 million private jet – people look at you differently,” he says. What predators see, he says, is opportunity.

Falkenberg had a client whose five-member family was traveling through one of the former Soviet republics 18 months ago and was detained at an airport by border officials who were apparently looking for a payoff. After six hours of detention, Falkenberg says the family was freed after his firm “negotiated” with the officials.

“We used contacts we developed in advance of the trip,” Falkenberg says, adding, “And maybe there was some payment of compensation to someone. And maybe not.”

Falkenberg says he’s seen an increase in requests for security services related to overseas tourism and business travel. It’s not surprising. Security experts say Americans traveling internationally face increased risks today to not just their safety but also their health. For that reason, Falkenberg’s firm recently partnered with a company called WorldClinic to provide emergency medical care to its clients. With a network of 4,000 doctors outside the U.S., WorldClinic provides around-the-clock medical care to clients who suffer serious illness or injury while traveling abroad.

Falkenberg believes people should hope for the best and prepare for the worst. Anne G. Donohoe, who works for Falkenberg’s public relations firm, KCSA Strategic Communications, can vouch for that. She was recently preparing for a trip to the Tuscany region of Italy when she received a call from Falkenberg, who told her to become acquainted with the plane’s exit routes and to wear sneakers on the flight, in case she has to run. He told her not to take the sneakers off until the plane is at cruising altitude, and because she was staying in a 200-year-old villa, he warned her to locate all of the exits in the building in case there was a fire.

“I told him, ‘You’re scaring me.’ And he said, ‘Great. Have a nice trip,’” Donohoe says. “Now when I travel, I keep a flashlight on me, in case there’s a power outage.”

Supply Chain Security Threats: 5 Game-Changing Forces

CSO

December 16, 2009

By LAUREN GIBBONS PAUL

As any CSO knows, it’s not enough to mind your own business. You have to look after your business partners as well, across all links that connect to your supply chain—whether that chain is physical or virtual. And that goes double in times of rapid change and high stress.

“The threat environment is constantly changing,” says Ryan Brewer, CISO for the Centers for Medicare and Medicaid Services. “Sometimes it’s hard to put your finger on what’s most important.”

Who would have thought three years ago that piracy on the supply chain would be such a big concern? Sometimes the big worry is terrorism, sometimes it’s natural disasters, lately it’s malware. Here are the top five developments CSOs say have the biggest potential to wreak havoc on their supply chains.

No. 1 Game-Changing Force: ‘Black Swan’ Events

As Nassim Nicholas Taleb explained in his 2007 book of the same name, the term “black swan” refers to an event that is high-impact, hard to predict and rare. Black swans need not be negative (as in the case of 9/11) and can present times of great opportunity, but CSOs rightfully spend their time worrying about the former scenario.

When it comes to the supply chain, black swan events can include everything from disastrous weather to global pandemicto terrorist attacks. The problem is, if you prepare for the worry du jour, you may leave yourself exposed on other fronts. Case in point: avian flu. Warned that a large-scale outbreak of Asian bird flu would put supply chains at risk, global businesses braced for the worst. Executives discussed how the supply chain might be affected if the flu broke out in China. Their plans rested on transporting and storing materials in other places around the world.

Then, early this year, H1N1 flu broke out in Mexico and spread quickly to unexpected regions like Australia. “Companies had to immediately reassess their plans because they were based on specific scenarios,” says Adam Sager, senior manager of business continuity consulting at Control Risks, a security consulting firm in Washington. This was a major wake-up call. “Companies realized they needed to better prepare for unexpected events and increase their knowledge of how their organizations could be impacted. If something is emerging on a global basis, they need to act before it affects their supply chain,” says Sager.

When a crisis hits—no matter where on the globe—you need to be able to understand and assess the situation using firsthand country- and location-specific information, says Sager. And you need bi­directional communication between crisis managers and the locale where the event is occurring. Sager notes that companies are discovering gaps between their crisis plans and their operations.

“They had security management and crisis management plans in place, but the missing link was integrating them with the business so people around the world could understand management’s position regarding critical things such as uptime, issue resolution and who’s responsible,” he says. This type of information is often not conveyed to the field in advance, a crucial error. Management needs to empower local decision-makers in advance to take action quickly to mitigate damage if certain conditions are met.

The plans have to address not just key supply chain nodes and specific scenarios that could occur, but also emerging security vulnerabilities. “That is a different mind-set and way of planning,” Sager says. “The security department has to come together with the operational/financial side of the business,” looking at all aspects of the supply chain, including where the different components are located and alternative sourcing arrangements. Sager puts his clients through tabletop testing, in which executives sit in a conference room and go through a scenario point by point with the key decision-makers, reviewing how they would respond.

Marc Siegel, commissioner for the ASIS International Global Standards Initiative, is leading the charge to develop an ISO standard for supply chain resilience. ASIS has already published SPC.1, its first organizational resilience standard, which it expects will be ready by the end of the year. “We think standards are the answer for dealing with [black swans],” Siegel says. “Companies have to develop a comprehensive [supply chain resilience] strategy because their resources are limited. This allows you to look at the full picture, rather than just separate out the different things.” For example, a strategy to prevent terrorism might work against piracy or help during an earthquake as well.

Organizations need to approach risk from a holistic standpoint, Siegel adds. “The problem with the risk du jour is that the likelihood of it happening varies so greatly between organizations that it can divert your attention away from doing a comprehensive risk assessment.” In short, it can make you take your eye off the ball.

No. 2 Game-Changing Force: The Rise of Malware

Information security matters also weigh on CSOs’ minds, though they are not as visibly related to the supply chain as physical security is. An organization (and therefore its supply chain) can be brought low by an attack on its information network as surely as it can be hurt by an attack on its cargo. Many CSOs say they are worried about botnets; two of the most pressing threats related to botnets are spam/phishing attacks on employees and the possibility of a resurgence in the denial-of-service (DoS) attacks that first appeared 10 or more years ago.

Ed Amoroso, CISO of AT&T, blames rampant technological complexity for the rise in malware. “The primary root cause for almost everything we deal with—commercial customers and everything—is complexity. The computers and networks that people set up and use have become way too complicated,” says Amoroso. Since no one knows exactly where all the connection points between systems lie, it is easy for wrongdoers to exploit them. “I’ve read that 95 percent of the spam that is floating around is botnet-originated,” he adds. “It’s all about complexity—people not knowing how to stop it on an individual, corporate and information security level.”

Like Amoroso, Joonho Lee worries a lot about the advent of integrated DoS attacks. “DoS used to be about large-volume traffic hitting your network,” says Lee, an officer for the National Incident Response Team and assistant vice president at the Federal Reserve Bank of New York. “Now, there are so many different types of attacks. It’s not just flooding you with traffic anymore. It’s flooding you with traffic that you can’t block.

“We have all the DoS protections, but I’m very skeptical about them always working. If you get hit by a 40-gig-per-second pipe, it’s going to knock you out, either your network or your provider,” says Lee. “The hackers are leveraging hundreds of thousands of machines. DoS is definitely back on the horizon.”

Rena Mears, a partner in security and privacy services for Deloitte & Touche, believes the malware supply chain is itself approaching maturity. “You go back a decade, and it was a few people doing mental gymnastics. Then we moved to an era where it was monetized [via phishing and spam]. The next step was the massive quick hit—equivalent to a bank robbery. Now we are seeing something much more insidious,” says Mears. Malware and its perpetrators are growing increasingly sophisticated.

Rather than carrying out the massive hit-and-run DoS attacks of the past, today’s malware seeks to sustain itself at a relatively low level, similar to the way a parasite survives in nature. “This is more of a constant-stream-of-revenue strategy. The malware agent can live below the organization’s pain threshold, but it siphons off information to compromise intellectual property or scoop up credit card information,” Mears says.

Lee, for one, does not believe that network service providers can adequately protect against the threats posed by new-breed malware. Amoroso of AT&T acknowledges that the situation is difficult, saying only that, like other providers, AT&T has developed multiple strategies for handling new-breed DoS attacks. He believes that the increasing popularity of thin clients will help thwart these attacks because they are simpler, with fewer moving parts to attack.

No. 3 Game-Changing Force: Economic Downturn

It is axiomatic that crime increases as the economy deteriorates. A number of threats—to physical security as well as information security—have become more pressing in the past year or so. Many CSOs expect the associated threat pool to continue to widen. Although the economy is forecast to improve slowly in the coming year or two, many experts expect the reshaped landscape will not necessarily signal a return to prosperity for all, or even most, of society. Some people will be desperate and therefore prone to desperate actions.

As the economy continues to falter, more and more people are losing their jobs, which often means losing their health insurance as well. Ray Biondo, CISO at Health Care Services (which runs four Blue Cross Blue Shield plans in Illinois), fears ongoing economic problems will cause wide-scale employee layoffs, which the company has so far managed to avoid. He fears the coming of a national healthcare plan could have the same effect. Biondo finds himself worrying more about insider threats to information and physical safety than he did a few years ago.

“I worry about internal physical threats and threats to our data. People become very anxious, and data leakage becomes an issue,” says Biondo. He believes he has taken all available measures to protect information and physical security, but he remains uneasy. Chris Falkenberg foresees increased threats to personal security, including the kidnapping of business executives abroad and attacks on high-net-worth individuals. “CSOs will have to deal with these things because they have to protect their executives,” says Falkenberg, president of security services firm Insite Security. He also worries that personal kidnapping could become a problem in the United States, though the country does not have the widespread governmental corruption that typically allows such activities to take root. He believes most CSOs do not have the internal expertise to handle this type of threat.

Lee, of the Federal Reserve Bank, believes emerging threats such as malware and attacks by insiders require stronger communication between the information security and physical security groups, as well as any other departments that get involved when there is a problem, such as legal. “There needs to be better teamwork. It’s not just training,” he says. “Even if these groups do speak to each other, they usually would just offload the case onto the other side. Everyone involved needs to know the logical next steps. There needs to be recognition of joint ownership of the problem.”

No. 4 Game-Changing Force: Data Explosion

Data is now so ubiquitous and so pervasive that people lose sight of it. Even many manufacturers today are so massively involved in data, they never think of themselves as anything other than purveyors and users of information. The level of integration companies have with their processes and business partners is something they could not have contemplated just five years ago, says Mears. The explosion in both data itself and the practice of sharing data outside organizational boundaries presents a number of different kinds of risk.

Companies of all types and sizes share infinite amounts of information with business partners. This data is constantly updated and flows back and forth. “This is a two-way chain,” says Mears. “That means you are replicating data. We used to say ‘defend the perimeter.’ Many companies don’t even have a perimeter anymore.”

Data and information are assets, but executives don’t know what they have, where it all is and who is (and isn’t) protecting it. “It is very difficult to secure data when you don’t know exactly what it is and who you’re sharing it with and no one is on the hook for those decisions,” says Mears. This reality necessitates a risk-based approach to data protection. “You cannot protect all data anymore. Not all data assets are worth the same amount. You have to be sure there is a return on that data asset, just as you would with any other asset. You should provide security commensurate with the value of the information asset,” she says.

Deloitte is advising its clients to develop a more focused response to information security. In a highly integrated global environment, companies understand that their core intellectual property is at risk, but they cannot afford to protect the daily flotsam that is part of business as usual. “Data protection is now a C-suite and a board-level issue. Executives are beginning to think about how to maximize the return on their data assets,” says Mears.

No. 5 Game-Changing Force: Regulatory Burdens

Since Sept. 11, 2001, and the passage of the Sarbanes-Oxley Act in 2002, regulatory activity has been high in virtually every industry. This is certainly true in the food/beverage/agribusiness industry, due to the obvious importance of maintaining a food supply that’s safe from contamination, whether malicious or innocent. H.R. 2749, the Food Safety Enhancement Act of 2009, just passed. And Walmart made news in 2008 when it required all of its food suppliers to comply with the stringent GFSI (Global Food Safety Initiative) standard. According to Rick Shanks, this standard above all mandates traceability within the food supply chain.

“Many food processors are not prepared to deal with the level of traceability required by the regulation,” says Shanks, national managing director of Aon Risk Services, the risk advisory division of Aon Corp. Traceability requires a high level of supply chain visibility, which has not always been available. That makes it more difficult to mitigate a food contamination incident such as salmonella in peanut butter or listeria on deli slicers. “When you have a food event, you have to be able to trace it back to its source,” says Shanks. Aon recently announced a service offering that helps food processors and producers achieve the necessary visibility.

A related force reshaping supply chains in the food and beverage industry is consumers’ increasing demand for visibility into the provenance of their food. Produce and seafood have been labeled to indicate origin for a few years now. The current “locavore” trend—which emphasizes eating locally grown food—stems in part from consumers’ beliefs that food grown and consumed nearby is less likely to become contaminated. Here, supply chains are shedding links to help allay consumer fears.

An Executive Plan for Troubled Travel

A security expert offers tips and tactics for surviving a business trip to some of the world’s most dangerous locations.

by J. Jennings Moss Mar 05 2010 Portfolio.com

Exit Strategy

by Christian L. Wright | Published May 2010

When the boss says go, it’s hard to say no—even if it means traveling to some of the less predictable corners of the globe. Christian L. Wright reports on the companies that spring business travelers out of tight spots and how to stay safe when work takes you far from home

When Justin Case (not his real name) and his brother found themselves in the middle of a violent protest high in the Andes in 2007, they called the emergency medical and security service International SOS for help. International SOS staffers immediately advised the brothers to fill the bathtub, in case a fire broke out; put money in their shoes, in case they had to run; and avoid the police station, since it was likely a target of the protesters. Within 48 hours, International SOS had returned the brothers to Lima, shaken but safe. “When I look at pictures of a war zone now,” Justin says, “it reminds me of what it was like.”

Between the narrowly averted military coup in Turkey in 2008, this winter’s sudden cholera outbreak in Mozambique, the earthquakes in Haiti and Chile, and frequent kidnappings from Mexico City to Kathmandu, it can look like a real jungle out there. In fact, the world’s a pretty safe place, with only about three percent of travelers ever falling victim to a crime and far fewer getting caught up in civil strife or natural disaster. Even so, the security industry is growing apace as increasing numbers of companies are sending more employees into remote or unstable places and realizing that it’s good business sense to contract an outside firm to help monitor their workforce overseas.

A range of U.S. security and risk management services consult with both multinational companies and individuals. For example, iJET Intelligent Risk Systems, a full-service security outfit, works primarily with corporations, tracking and supporting upwards of 400,000 business travelers in any given month (the company evacuated 186 clients from Haiti after the January earthquake). On the other hand, half the travelers who hire Clayton Consultants, which specializes in kidnapping, are private individuals. International SOS and Assist America are essentially medical emergency services—think of them as an international 911—sometimes working in concert with risk management experts. And then there are companies like Granite Intelligence, in New York, that offer executive protection—in other words, bodyguards. “It’s not unlike what the secret service does for the president but on a much smaller scale,” says Jeffrey Mueller, co-founder of Granite.

Still, despite the growth in the security industry, a 2007 survey conducted by the U.K.-based firm Control Risks revealed that half of U.S. business travelers polled reported that there was no clear travel security policy at their company and 23 percent said their firm provided no security support at all. Clearly, for business as well as leisure travelers, it’s ultimately up to the individual to be his or her own best risk manager. According to Randy Spivey, CEO and founder of the Center for Personal Protection & Safety, the degree of risk abroad can be summed up by three factors. “Where you’re going, whom you work for, and what you’re doing there. If you’re tied to the coffee industry,” he explains, “in certain parts of Latin America that’s a threat to the drug trade.” In general, one of the biggest threats to the international business traveler is kidnapping—Clayton Consultants handled 40 cases worldwide in 2009—particularly in Latin America, where fully half of all kidnaps-for-ransom take place. Kidnap risk is also higher in oil-rich parts of Africa and the Middle East and in Southeast Asia, where growing economies are attracting more foreigners looking to drum up business. Threats of terrorism are particularly high in Afghanistan, India, Iraq, Pakistan, Sudan, and Yemen. Civil unrest and natural disasters round out the list.

ALL IN THE PREPARATION

You don’t have to hire a security expert to reduce your chances of ending up in a tight spot overseas. In fact, a little preparation can go a long way in minimizing risk and putting you in the best position to respond to the unexpected. “Be a bit obsessive-compulsive” in your planning, advises James Moulton, field security officer for the Global Fund to Fight AIDS, Tuberculosis and Malaria, who has lived and worked in Haiti and the Niger Delta. Moulton and others recommend that travelers to off-the-beaten-path destinations study up on the history, culture, customs, government, religions, and possible risks (natural as well as man-made) well before departure. For instance, if you’re scheduled to head to a politically unstable country and you learn that you’ll be there during its national elections, you might want to change your travel dates. If your company has no library of dossiers on every place the boss might send you, or hasn’t hired an outside company that does, you can refer to the U.S. State Department alerts and advisories online (state.gov/travel), and you can tailor daily e-mail digests from the Overseas Security Advisory Council (osac.gov) to stay current on regions that are of interest to you. To further understand conditions on the ground, some broad overview maps are available online, such as the Risk Atlas from the magazine Risk Management, and ASI Global’s Kidnap & Ransom Threat Map (www.asiglobalresponse.com/downloads/KR_threat_map.pdf).

In an age when the ability to make a phone call or send an e-mail is taken for granted, it’s easy to overlook the issue of communications on a trip abroad. Big mistake. “Your ability to communicate on a moment’s notice could be the difference between life and death,” says Alex Puig, a director at Travel Security Services, a joint venture between Control Risks and International SOS. The Global Fund’s Moulton agrees. “During a coup or rumors of one, the first thing to go down is the telephone network, at precisely the time you need it most.” The answer? A satellite phone, especially “in volatile environments or remote areas where power and cell phone coverage cannot be guaranteed,” Moulton says.

In most parts of the world, though, even the humble cell phone can be a powerful tool in times of trouble. Text messaging, for instance, is still a viable way to communicate when phones are jammed and you can’t make a call. There’s even a 99-cent app called iWitness, available on iTunes, that works on the iPhone and BlackBerry and sends up to 15 contacts a distress signal, notifying them of your whereabouts when you activate the alarm.

Sometimes a phone call is all that’s needed to get you out of a jam. A few years ago, when a car carrying some American businessmen in a remote part of India hit a rickshaw, an angry crowd of about 300 quickly gathered. Although the car was driven by an Indian, the crowd wanted to lynch the Americans. Luckily, they were able to phone colleagues in the vicinity, who quickly came and ushered them to safety.

THE BEST DEFENSE

CLAYTON CONSULTANTS Analyzes the risk potential for any given trip; offers skills training, including lessons in evasive driving and handling firearms; provides response teams for kidnap-for-ransom, extortion, and wrongful detention. Cost: $1,500-$3,000 per consultant per day.

GRANITE INTELLIGENCE Sends an advance team to secure the destination; coordinates safe transportation; vets hotels; provides bodyguards; conducts counter-surveillance and background checks. Cost: $5,000-$20,000 per day, depending on the destination and number of personnel.

iJET INTELLIGENT RISK SYSTEMS Provides destination reports and safety advice; dispenses real-time alerts to e-mail addresses or phones; monitors airlines safety standards; vets hotels; staffs a 24-hour hotline; arranges emergency evacuations. Cost: $5,000 per year for an organization.

INSITE SECURITY Geared to top executives and high-net-worth individuals; sends an advance team to secure the destination; vets hotels; coordinates safe transportation; conducts counter-­surveillance, emergency evacuations, and kidnap-and-ransom negotiations. Cost: From $6,000 for an individual trip.

TRAVEL SECURITY SERVICES This joint venture between International SOS and Control Risks staffs a 24-hour security and medical hotline and arranges evacuations. Cost: From $435 per year for independent travelers.

By MATTHEW HARWOOD

Published on Security Management

Christopher Falkenberg and Christopher Voss discuss the threat of an executive or employee kidnapping and why the Southwest could see an increase in such crimes.

Christopher Falkenberg, president of Insite Security, is a corporate and personal security expert. He is a former U.S. Secret Service Agent and attorney. While with the Secret Service, Mr. Falkenberg conducted numerous protective advances for the President, government officials both here and abroad and visiting dignitaries. At Insite Security, he regularly consults with Fortune 1000 companies and high-net-worth individuals on threat assessments and management, executive and family protection, security training, evacuation training, workplace security, disaster recovery planning and much more.

Christopher Voss joined Insite Security in 2009, as the managing director and leader of the firm’s Kidnapping Resolution Practice. His role is to address the security needs and protection of corporate employees and high-net-worth individuals. Mr. Voss received his training on hostage survival and negotiations during his 24-year tenure with the Federal Bureau of Investigation (FBI). Throughout his career, Mr. Voss has negotiated more than 150 hostage releases and was awarded the FBI Agent’s Association Award for Distinguished and Exemplary Service and the Attorney General’s Award for Excellence in Law Enforcement.

At 4:30 pm on Thursday, October 14, Falkenberg and Voss will conduct the session “Corporate Kidnapping: Preparing Management for the Unthinkable” at the ASIS International 56th Annual Seminar and Exhibits. The session will discuss how a company can integrate a working plan into its existing decision-making structure, raise awareness of ethical and legal parameters surrounding a kidnapping, and prepare security professionals and executives to handle conversations with a professional kidnapping negotiator.

What are you gentlemen presenting on during seminar?

Voss: As we continue to help companies understand corporate kidnapping cases, there are some consistent types of misperceptions or disconnects in these types of cases that we are seeing.We’d like to take this chance at the ASIS seminar to help people understand what they’re getting into.

When most companies deal with a kidnapping it’s probably their first time. And since they’re used to dealing with a high-pressure environment, they don’t quite understand how their approach to problem solving doesn’t quite translate to this environment. I get asked the same questions over and over by experienced CEOs who deal with stressful situations and they just need some help in understanding their current approach to problems and how it needs to be tweaked during a kidnapping.

What are those questions?

Voss: One organization we talked to had a sister organization that had someone kidnapped. The CEO called me back and asked me if I had been following it in the press. I had been aware of it, but I hadn’t been following it closely and I told the CEO that. And the CEO said, “Take a good look at it and I think this kidnapping is going to be the model for all kidnappings of this type.” I thought all right, maybe there’s something unusual here, I’ll take a closer look at it. And I did, and I looked at the reporting on it and there was absolutely nothing remarkable about the case. It was a cookie-cutter case like dozens and dozens just like it in the 150 cases that I’ve seen. So my question was this: “If this is not a new case, then the issue is it’s new to this CEO.” CEOs aren’t used to getting hit by things that are new to them. So if it’s completely new to them, they think it must be new to the world. Because in their world, they’re so experienced: they know what they’re doing. I realized that kidnapping tests people who aren’t used to being caught off guard.

When you guys go out and work, how much resistance do you receive from your customers?

Voss: We don’t get resistance once we have been hired. It’s helping them understand what the need is and what the possibilities are. It’s a little bit like trying to describe a jet airplane to a person who has only flown in propeller-driven planes. For example, if you’re flying a Corsair from World War II and someone tries to describe what it’s like to be in a supersonic plane.The Corsair pilot thinks they’ve got the fastest, most agile fighter out there. It’s hard to describe something faster.So it’s trying to help people grasp something that they have no way of understanding, because they’ve never been in the situation before, and they’re so experienced in their own worldview that they have trouble believing that this situation is different.

What types of companies need to seek out Insite’s expertise? I would think the vast majority of businesses don’t really need kidnap protection strategies.

Falkenberg: I disagree with that characterization. I think any business that does any work abroad, sends its employees abroad, has employees that live abroad, or has responsibilities for contractors or subcontractors that operate abroad should be concerned about kidnapping. I also think we’re heading toward a period where companies that have significant operations in Southwestern states like California, Texas, and Arizona all have to be concerned about this.

There are two issues. Obviously, kidnap for ransom is much more prominent abroad than it is within the United States. Obviously firms that exclusively send their employees to the United Kingdom or Germany have to be concerned less than companies that send employees to Mexico and Ecuador. Any of these countries that have kidnapping operations – Asia, South America, Africa, and the Middle East – have to do this. Vis-a-vis U.S. operations, it is becoming quite clear that the incidents of kidnapping for ransom in the Southwest, principally in areas where there is a lot of Mexican-American gang involvement, is increasing. Today, most of the targets of that type of kidnapping are poor people who have a background similar to the perpetrators. It seems inevitable to us that because ransom rates are so much higher when you start kidnapping wealthier people that that’s going to happen in the United States, in these areas in particular, and that companies that operate there should have a plan in place. I think Chris will tell you the trajectory of a domestic kidnapping in Texas, Arizona, or California is quite different than what it is abroad and far more dangerous.

Is the divide between kidnapping for money and kidnapping to kill?

Voss: In a domestic U.S. kidnapping, the kidnappers know that there’s a higher likelihood that they’re going to be caught, which makes the victim a liability. And the victim is the best witness against the kidnappers. Because of the penalties in the U.S. for kidnapping – they’re not only going to get caught but the law is going to be enforced.They are going to do life in prison, if not potentially face the death penalty. Therefore they must get rid of that key witness. Internationally, kidnappers are not faced with those kinds of penalties, so the witness is not that much of a liability and that’s the principal difference.They can let a witness be ransomed out internationally and be quite comfortable that more than likely that witness is not going to testify against them, so the victim is no longer a threat.

So the lesson here is that there’s a greater likelihood of getting kidnapped overseas but also a greater likelihood of surviving the ordeal?

Voss: If you’re kidnapped overseas, the chances you’ll survive is very high, physically. Now how you survive psychologically – if you ever regain your life again – that is another question. I know many kidnap victims who were kidnapped five, six, seven years ago, they’re still not over it. That has much more to do with how that kidnapping is handled while you are in captivity.

So many kidnapping victims essentially get PTSD?

Voss: Exactly, not only the victims, but the families get it. There are studies that indicate that the families of kidnap victims are suffering PTSD at roughly the same rates as the kidnap victims themselves are.

Looking ahead, have we seen a greater escalation in kidnapping rates all across the world over time?

Voss: Internationally, for political reasons, the kidnapping rates around the world jumped coincidentally with the end of the second Iraq War. Now as a general rule, it’s pretty much stayed the same worldwide, but it tends to move around. For example, the kidnap rate in Haiti three years ago was extremely high. In the FBI Crisis Negotiation Unit, we dealt in early 2005 to late 2006 with probably over 150 kidnappings in Haiti alone. There were so many of them that we had to spread them out throughout the Crisis Negotiation Unit. While that rate has gotten much lower in Haiti, Mexico has jumped up. Mexican kidnappings are being exported down into Central America since the Mexicans have created such an efficient and lucrative model for kidnapping.Drug gangs are making more money off of kidnapping then they were drug dealing. It’s like a virus that spreads.

What are the greatest kidnapping threats facing American companies? Do you feel the threat is bigger internally in the Southwest or is it anywhere people travel?

Voss: The Southwest is a growing threat because the Mexican- American gang problem is getting out of control and it’s an extremely lucrative business. And if American companies do business overseas, they think that they’re safer if they don’t send American workers. But the reality is that the local businessman is a higher target anyway. A typical American such as myself, I walk into Tijuana, I probably won’t get kidnapped. I could probably get shot and killed, either by stray gunfire or someone trying to murder me, but they don’t like kidnapping in Tijuana. Now the company I’m working for or that I own, if I decide in order to be safer I’ll send someone that lives in Tijuana, that’s their target anyway.

What’s the reason behind that?

Voss: Any kidnapping industry that has any maturity knows that if it kidnaps a U.S. citizen, the U.S. government is going to get involved. And they don’t want Uncle Sam and all those resources coming across the border. History has shown that as long as local citizens are getting kidnapped in Mexico, the U.S. is not getting heavily involved. They’ve come to learn that it’s very practical—every now and then they’ll accidentally grab an American citizen. But I’ve seen Americans pushed out of the way in order to grab what they thought was a local citizen who happened to be a dual-national. So every time they grab an American citizen, suddenly Uncle Sam’s law enforcement and resources are focused on that. So they’ll do it once or twice by accident and then they’ll come to realize that as long as they don’t grab Americans, then Uncle Sam doesn’t come across the border. That’s when they start to take the business associates of the companies that are doing business down in these countries.

What’s really worrisome about the Southwest then if the kidnappers are going to be reluctant to come across and kidnap any Americans?

Voss: They’re going to kidnap the Mexican-American businessman that we’re trying to do business with and they’re coming across the border to take them.

So the kidnappers know their intended victims’ travels and they pick a weak point to grab them?

Voss: Kidnappers go after low-hanging fruit. They’re going to pick the people that are easy to get and they’re going after more and more legit businessmen, so if I’m going to do business in Mexico and I hire a Mexican-American to do business for me, that’s the guy they’re going to go after.

So where does the kidnapping threat to companies in the Southwest come from if kidnappers are afraid to grab them inside the United States?

Falkenberg: In the Southwest you have either members or former members of gangs who live there. And those are the people who are engaging in kidnappings now of other ethnic Mexicans, and their sights are entirely likely to shift up the food chain, I think.

You fear they’re going to go after bigger fish?

Falkenberg: Yes, it’s a business. If you can achieve a five or ten thousand dollar ransom in kidnapping someone from the neighborhood and realize you can achieve a $100,000 ransom kidnapping somebody who lives in an affluent area or is coming out of corporate business park, it’s inevitable that that’s going to occur. And it’s also inevitable that it will be a much more dangerous situation for the victim because law enforcement will get involved and the perpetrators will be really concerned about getting caught because they don’t have collusive policemen to protect them as they do in foreign countries.

What do you say to the companies that don’t have a lot of resources but do want to develop kidnapping response plans? How should they go about that?

Falkenberg: It doesn’t require deep pockets to do the planning. None of this is incredibly expensive when you consider the risk. It’s not costly to engage a consultant to help you plan this. I think it’s rare that you’re going to find a real company that hasn’t looked at their crisis management plan, which has either hired someone in-house or sought some assistance on their disaster preparedness plan or business continuity plan or crisis management plan. A kidnapping is a crisis, but it’s a particular type of crisis, so it doesn’t require a multinational company with millions in a security budget to fully prepare. Nor does it require a ransom payment. But is there self-help guidance that we can offer? Yes, I think we’ll try to offer that at the seminar.

Voss: Seminar attendees should be able to check into the U.S. policy on their own and prep their own legal counsel. And we’ll tell them exactly what to do and how to prep them in order to do that. They should be able to begin to involve their own H.R. team to be able to minimize the traumatic stress damage to the victim and everyone else who is going to suffer traumatic stress. It’s understanding that the victims here aren’t just the kidnap victims but there are other people that are going to be damaged, potentially to the point of not being able to function as a result of the kidnapping. And they’re not even the victim.